David A. Krausz, whose personal injury law practice is in San Francisco , has notified clients about a breach:
On January 6, 2015*, Law Offices of David A. Krausz, P.C. experienced the theft of a laptop computer that contained identifying client information including names, social security numbers and dates of birth. As a result of this incident, information identifiable with you was potentially exposed to others. The theft was reported to the San Francisco Police Department and a report was filed.
[…]
We regret this incident and inconvenience or concern this situation may cause, but we believe it is important for you to be fully informed of any potential risk resulting from this incident. Again we want to reassure you we have no evidence that your protected data has been misused. We take our obligation to serve our current and former clients very seriously and we are committed to protecting your privacy at the highest level possible.
So if the law firm protects privacy “at the highest possible level,” what physical and technical safeguards were in place at the time of the theft? And where was the laptop at the time of the theft? And why weren’t those notified offered any free credit monitoring services if Social Security numbers and dates of birth were involved?
The January 12th notification, a copy of which was submitted to the California Attorney General’s Office, does not indicate how many clients had data on the stolen laptop. Nor does it explain why data from former clients may still have been on the laptop at the time of the theft.
*Note: the metadata provided to California indicated that the breach occurred on January 5 and was discovered on January 6. The notification letter states the theft occurred on January 6. DataBreaches.net is not sure which date is the accurate one.